UK Telco Confirms Data Breach
TalkTalk Says Fraudsters Are Using Stolen Data
TalkTalk Telecom Group, based in London, warns that it has suffered a data breach that compromised some customers' names, addresses, account numbers and phone numbers, and that scammers are using this stolen information to launch social-engineering attacks against its customers.
"At the end of last year, we saw an increase in malicious scammers preying on our customers. In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number as well as their phone number," a TalkTalk spokesman tells Information Security Media Group.
TalkTalk says it sent a related e-mail alert to all customers on Feb. 26, warning that fraudsters may be in possession of their personal details and outlining techniques they can use to defend themselves. The alert also noted that legitimate TalkTalk service personnel will never ask customers to download and install software (as the scammers have been doing), sign up for tech-support contracts, or provide their bank details or complete passwords. The company says that e-mail alert followed a similar alert that it sent to all customers in December.
TalkTalk says it launched a related investigation in December, following an increase in fraud reports from its customers that began in October 2014, and posted advice on defending against scam phone calls. On the company's support forums, customers were complaining that scammers - posing as TalkTalk customer-support personnel - had knowledge of their account numbers, phone numbers and details of their bills, The Guardian first reported in December, saying that at least hundreds of customers appeared to have been targeted.
"Following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures," the TalkTalk spokesman now confirms. "We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly."
TalkTalk has 4.2 million customers in the United Kingdom, and is one of the country's 250 biggest businesses, providing mobile network services, as well as television, telecommunications and Internet access, to U.K. businesses and consumers.
While TalkTalk declined to specify how many customers may be at risk due to the breach, the BBC reports that officials estimate the number affected to be in the "small thousands." But some customers have lost the equivalent of thousands of dollars as a result of related fraud, The Guardian reports.
In the wake of the fraud campaign, TalkTalk says it's pursuing legal action against a third party that had access to its internal systems, and that it has blamed for the breach. The Guardian reported in December that the then-suspected breach had been traced to an Indian call center. While TalkTalk declined to confirm that account, saying that the legal matter remains ongoing, it did say that the third party was located overseas.
"We want to re-assure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected," the TalkTalk spokesman adds.
Investigation Under Way
The company also says it's brought in a third-party firm - which it declined to name - to help investigate the breach, and that it's working with the U.K. Information Commissioner's Office, which enforces the country's privacy laws. An ICO spokeswoman confirmed to ISMG: "We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances."
But independent information security expert Graham Cluley has questioned why TalkTalk has yet to post a related data breach or fraud campaign alert on its website homepage. He also cautions that if TalkTalk has suffered this attack, then one of its rivals in the U.K. market - such as BT, EE, O2, Sky, Virgin Media and Vodafone - may have also been targeted.
Don't be surprised if we find out #TalkTalk isn't the only ISP/comms operator to have suffered a data breach... - Graham Cluley (@gcluley) February 27, 2015